In this tutorial, we’ll be looking at the low entropy issue that the GPG command complains about when attempting to generate a key pair.
2. Entropy in Linux
Entropy is a concept that measures the degree of randomness and uncertainty in a system. For security applications that rely on randomly generated bytes, it’s important to ensure the random number generator source has high entropy. This is because random numbers generated by high entropy sources are less predictable and, therefore, result in a more secure secret.
On the other hand, a low entropy generator will generate random numbers that are easily predictable and, therefore, compromise the security of the secret.
In Linux, /dev/random and /dev/urandom are the two special device files that, upon reading, provide a sequence of random bytes. To ensure the random numbers generated are of high entropy, the /dev/random device file will block when there’s not enough entropy in the system.
Typically, the Linux system collects this randomness from the mouse and keyboard activity, hard disk drive activity, and network activity.
3. Insufficient Random Bytes Error When Generating GPG Keys
One common problem we can face when generating a GPG key pair is that the command complains it doesn’t have enough random bytes. For instance:
Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 210 more bytes)
Internally, the gpg command reads random bytes from the /dev/random device file to generate the key pair. When the entropy estimate is low, /dev/random blocks, which leads the gpg command to tell the user it needs more entropy.
This problem is especially prominent in a headless environment, where the lack of GUI and peripheral device activity greatly reduces the availability of entropy.
To solve this problem, we’ll need to perform activities that introduce randomness, thereby increasing the entropy pool. The popular ways of increasing the entropy pool in a system involve extensive GUI and disk operations. While those methods work, they’re mostly manual and require users to run them whenever there’s a need.
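Before running gpg on a headless machine it helps to know how much entropy the kernel currently estimates and whether a read from /dev/random would stall. The script below is an added example, not part of the original tutorial; it assumes a Linux host with /proc mounted and coreutils `timeout`, and the 256-bit "low" threshold and the file name entropy_check.sh are our own choices, not kernel constants.

```shell
#!/bin/sh
# Added example (not from the original tutorial): inspect the kernel entropy
# pool before running a key-generation command such as gpg.
# Assumptions: Linux with /proc mounted; coreutils timeout; the 256-bit
# threshold below is our own heuristic, not a kernel constant.

ENTROPY_AVAIL=/proc/sys/kernel/random/entropy_avail
POOLSIZE=/proc/sys/kernel/random/poolsize

# Print the kernel's current entropy estimate in bits, or -1 when /proc is
# not available (non-Linux host, restricted container).
entropy_avail() {
    if [ -r "$ENTROPY_AVAIL" ]; then
        cat "$ENTROPY_AVAIL"
    else
        echo -1
    fi
}

# Classify a bit count so a wrapper script can branch on it:
# unknown (no reading), low (below our threshold) or ok.
classify_entropy() {
    bits=$1
    if [ "$bits" -lt 0 ]; then
        echo unknown
    elif [ "$bits" -lt 256 ]; then
        echo low
    else
        echo ok
    fi
}

# Probe whether a read from /dev/random would stall right now: try to pull
# 32 bytes with a 2-second limit. timeout exits 124 when the limit is hit.
random_read_probe() {
    if timeout 2 head -c 32 /dev/random >/dev/null 2>&1; then
        echo ready
    else
        rc=$?
        if [ "$rc" -eq 124 ]; then
            echo blocks
        else
            echo unavailable
        fi
    fi
}

main() {
    bits=$(entropy_avail)
    pool=$(cat "$POOLSIZE" 2>/dev/null || echo '?')
    echo "entropy_avail: $bits bits (pool size: $pool)"
    echo "state: $(classify_entropy "$bits")"
    echo "/dev/random read: $(random_read_probe)"
}

# Run main only when executed as entropy_check.sh, so the functions can also be
# sourced by other scripts.
case "${0##*/}" in
    entropy_check.sh) main "$@" ;;
esac
```

Save it as entropy_check.sh and run it before gpg --gen-key: a "low" state together with a "blocks" probe is exactly the condition under which gpg prints the message above. On kernels from 5.6 onward /dev/random stops blocking once the pool has been seeded at boot, so the probe will usually report "ready" there even when the estimate is small.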
Let’s now look at how we can use rngd to start a background job that continuously increases the entropy pool.
4. Populating the Entropy Pool Using rngd
The rngd command is a Linux command-line tool that takes a random number sequence from an input device and feeds it into the kernel entropy pool. It has the added benefit of being able to run in the background so that the user doesn’t have to worry about the lack of entropy again.
4.1. Installing rngd
To install rngd, we can install the rng-tools package using the package manager on our system.
For instance, in Debian-based Linux, we’ll run apt-get install rng-tools:
$ sudo apt-get update -qq
$ sudo apt-get install -y rng-tools
Finally, we verify the presence of the rngd command by running rngd --version:
$ rngd --version
rngd 5
4.2. Starting the rngd Process
To populate the system’s entropy pool using the rngd command, we simply run rngd:
$ sudo rngd
The command will start the rngd process in the background. Then, the background process feeds the /dev/random device file with data coming from the hardware random number generator, /dev/hwrandom.
4.3. Specifying Different Random Number Generator Devices
By default, the rngd command feeds the entropy pool with random bytes read from hardware random number generator device files such as /dev/hwrng and /dev/hwrandom. When a hardware random number generator is not present in the system, the absence of the special device file causes the rngd command to display an error message:
$ sudo rngd
read error
read error
To change the source device that rngd reads from, we can specify the -r option followed by the device path.
For instance, let’s use the /dev/urandom random number generator as the source:
$ sudo rngd -r /dev/urandom
Now, instead of a hardware random number generator, we’re feeding the entropy pool using random numbers generated by /dev/urandom.
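The following script ties sections 4.2 and 4.3 together: it picks the source device the way the tutorial describes (a hardware RNG node if one exists, /dev/urandom otherwise), records what kind of source that is, starts rngd with -r and reports the entropy estimate before and after. It is an added example, not code from the tutorial or from rng-tools; it assumes rng-tools is installed, that it runs as root on Linux with /proc mounted, and that it is saved as start_rngd.sh. The directory argument to pick_rng_source is our own device for exercising the selection logic against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial or rng-tools): choose an rngd
# source device, start rngd with -r, and confirm the entropy estimate grows.
# Assumptions: rng-tools installed, root privileges, Linux /proc mounted.

# Pick the source device. Prefer a hardware RNG node and fall back to
# /dev/urandom only when none exists. The directory is a parameter solely so
# the logic can be tested against a scratch directory; -e (exists) is used
# instead of -c (char device) for the same reason.
pick_rng_source() {
    dev_dir=${1:-/dev}
    for node in hwrng hwrandom; do
        if [ -e "$dev_dir/$node" ]; then
            echo "$dev_dir/$node"
            return 0
        fi
    done
    echo "$dev_dir/urandom"
}

# Say what a source actually contributes. A hardware RNG adds fresh entropy.
# /dev/urandom is driven by the same kernel CSPRNG that /dev/random draws
# from, so feeding it back only raises the kernel's entropy estimate; it
# unblocks gpg but adds no randomness the kernel did not already have.
source_quality() {
    case "$1" in
        */hwrng|*/hwrandom) echo hardware ;;
        */urandom)          echo estimate-only ;;
        *)                  echo unknown ;;
    esac
}

# Current entropy estimate in bits, or -1 if /proc is unavailable.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo -1
}

main() {
    src=$(pick_rng_source /dev)
    echo "source: $src ($(source_quality "$src"))"
    before=$(entropy_avail)
    # rngd daemonises itself; -r selects the input device (rng-tools option).
    rngd -r "$src"
    sleep 2
    after=$(entropy_avail)
    echo "entropy_avail before/after: $before -> $after"
}

# Run main only when executed as start_rngd.sh, so the functions can be sourced.
case "${0##*/}" in
    start_rngd.sh) main "$@" ;;
esac
```

Run it with sudo ./start_rngd.sh. When the source is reported as estimate-only, treat the rngd workaround as a way to stop gpg from stalling on a machine whose kernel CSPRNG is already seeded, not as a substitute for a hardware RNG or a jitter-based source on hosts that genuinely lack entropy, such as freshly cloned VM images.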
In this tutorial, we’ve looked briefly at the concept of entropy and how it’s important for generating a secure key pair. Then, we’ve seen how the GPG command can complain about the lack of entropy when generating key pairs. Finally, we’ve introduced the rngd command-line tool, which fills up the system entropy pool using another random number generator.